One of the most significant threats to the cyber infrastructure comes from insiders who hold valid user credentials, e.g., a username and password, for accessing systems and networks. Traditionally, network administrators have invested in firewalls and network intrusion detection systems (NIDS) to secure the perimeter of the network in the hope of keeping an attacker out. However, these solutions do not stop attacks originating inside the network. And although host intrusion detection systems (HIDS) have been used to provide some defense against inside attacks, that defense is limited to devices for which a viable client application is available (e.g., a compatible network access control (NAC) client), leaving many types of devices unmanaged and insecure. This leaves an opportunity for authorized insiders to insert unauthorized devices and unmanageable systems onto the network, possibly for data exfiltration. Given the significant threat from insiders, the security of a network cannot depend only on user authentication; rather, all devices that access the network should have proper authorization independent of user authorization.
To enable device-level authorization, robust techniques are needed for uniquely identifying, or fingerprinting, devices and device types on a network. Traditional techniques such as using Internet Protocol (IP) addresses or medium access control (MAC) addresses are insufficient because these identifiers can easily be changed, or “spoofed.” More recently developed techniques have improved on device and device-type fingerprinting, but these conventional techniques still suffer from several critical shortcomings. For example, many of these techniques are limited to fingerprinting only devices of certain device types, e.g., able to differentiate only between types of wireless access points (APs); are specific to a communications protocol, e.g., dependent on a particular feature of a target protocol to identify a device; or require actively probing the device to be identified, e.g., by sending malformed packets that can potentially alert the target device to the identification process. Other conventional techniques require physical possession of, or close proximity to, the device to be identified, e.g., being within RF range of the device; or require expensive signal-analyzer hardware to be effective. Moreover, conventional fingerprinting techniques are generally suitable only for either fingerprinting a device or fingerprinting a device type, but cannot be used to discern both pieces of information.